FinSpy spyware analysis

We have collaborated with Amnesty International for whom we have analyzed a new variant of the FinSpy spyware.

Executive summary

By analyzing the sample we found what we suspect to be a new version of the FinFisher’s malware FinSpy for Android.

Even though the malware behavior and capabilities seem to be the same as what it has already been described in the past, this version goes a step further to hide the malware configuration and its capabilities.

This new version we named DexDen has very likely been released between May 2017 and October 2019.

Command and control server associated to the malware configuration is still alive by the time we wrote this report.

In terms of capabilities, the sample we have analyzed is meant to exfiltrate SIM card information, SMS log, call log, calendar events, address book, messages and files from 12 popular messenger applications and to track victim’s location.

This report provides details on how strings are obfuscated, how the communication protocol has evolved and how the extraction of three technical aspects of the malware can give insights on the malware code-base evolution.

Overview

This report focuses on the analysis of the sample described below.

Sample file

FilenameWIFI.apk
Size2.87MB
MD579ba96848428337e685e10b06ccc1c89
SHA-151b31827c1d961ced142a3c5f3efa2b389f9c5ad
SHA-256854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3
Application namewifi
Packageorg.xmlpush.v3
Main activityorg.xmlpush.v3.StartVersion

Sample certificate

SubjectCN='MITAS Ltd.'
Signature Alg.rsassa_pkcs1v15
Validity2017-05-27 - 2023-05-26
IssuerCN='MITAS Ltd.'
Hash Alg.sha256
MD5b99ac605872a55e609854176413e603c
SHA-17c6e4f2e84ebaa8d25040f63d840e14f6f822125
SHA-2568052584eacfd199602b348ef60e20c246ec929d62bc5b85fd0e60ba3205b05a2

For this analysis we use the following tools:

We share the following assets on our GitHub repository:

  • java_parser.py to extract obfuscated from Java code
  • string_decoder.py to decode obfuscated strings
  • table.ods containing TLV types and decoded strings
  • FinSpy.yar Yara rules detecting FinSpy variants

Tiny tools

Yara rules

rule FinSpy_ConfigInAPK : android apkhideconfig finspy
{
	meta:
		description = "Detect FinFisher FinSpy configuration in APK file. Probably the original FinSpy version."
		date = "2020/08/05"
		reference = "https://github.com/devio/FinSpy-Tools"
		author = "Esther Onfroy a.k.a U+039b - *@0x39b.fr (https://twitter.com/u039b)"

	strings:
		$re = /\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+\/]{6}/

	condition:
		uint32(0) == 0x04034b50 and $re and (#re > 50)
}

rule FinSpy_DexDen : android dexhideconfig finspy
{
	meta:
		description = "Detect FinFisher FinSpy configuration in DEX file. Probably a newer FinSpy variant."
		date = "2020/08/05"
		author = "Esther Onfroy a.k.a U+039b - *@0x39b.fr (https://twitter.com/u039b)"

	strings:
		$config_1 = { 90 5b fe 00 }
		$config_2 = { 70 37 80 00 }
		$config_3 = { 40 38 80 00 }
		$config_4 = { a0 33 84 }
		$config_5 = { 90 79 84 00 }

	condition:
		uint16(0) == 0x6564 and
		#config_1 >= 2 and 
		#config_2 >= 2 and 
		#config_3 >= 2 and 
		#config_4 >= 2 and 
		#config_5 >= 2
}

rule FinSpy_TippyTime: finspyTT
{
	meta:
		description = "Detect FinFisher FinSpy 'TippyTime' variant."
		date = "2020/08/05"
		author = "Esther Onfroy a.k.a U+039b - *@0x39b.fr (https://twitter.com/u039b)"
	strings:
		$config_1 = { 90 5b fe 00 }
		$config_2 = { 70 37 80 00 }
		$config_3 = { 40 38 80 00 }
		$config_4 = { a0 33 84 }
		$config_5 = { 90 79 84 00 }
		$timestamp = { 95 E9 D1 5B }

	condition:
		uint16(0) == 0x6564 and
		$timestamp and
		$config_1 and 
		$config_2 and 
		$config_3 and 
		$config_4 and 
		$config_5
}

rule FinSpy_TippyPad: finspyTP
{
	meta:
		description = "Detect FinFisher FinSpy 'TippyPad' variant."
		date = "2020/08/05"
		author = "Esther Onfroy a.k.a U+039b - *@0x39b.fr (https://twitter.com/u039b)"
	strings:
		$pad_1 = "0123456789abcdef"
		$pad_2 = "fedcba9876543210"

	condition:
		uint16(0) == 0x6564 and
		#pad_1 > 50 and
		#pad_2 > 50
}

Script to plot CFG

import networkx as nx
from androguard.misc import AnalyzeAPK
from graphviz import Digraph as dg

apk = '<path to you APK>'
a, d, dx = AnalyzeAPK(apk)
call_graph = dx.get_call_graph()
graph = nx.empty_graph()


def clean_name(name):
    return name[0:name.rfind(')')+1]


graphs = {
    'audio': [
        {
            'class': 'Landroid/media/AudioRecord',
            'method': 'startRecording'
        },
        {
            'class': 'Landroid/media/AudioManager',
            'method': 'setMicrophoneMute'
        },
    ],
    'read_sms_configuration': [
        {
            'class': 'Landroid/telephony/SmsMessage',
            'method': 'getPdu'
        },
        {
            'class': 'Landroid/telephony/SmsMessage',
            'method': 'getMessageBody'
        },
        {
            'class': 'Landroid/telephony/SmsMessage',
            'method': 'getUserData'
        },
        {
            'class': 'Lorg/xmlpush/v3/q/c',
            'method': '<init>'
        },
        {
            'class': 'Lorg/xmlpush/v3/q/c',
            'method': 'a',
            'starts_with': 'Lorg/xmlpush/v3/q/c;->a([Ljava'
        },
    ],
}

for g in graphs:
    fg = dg(engine='dot',
            format='png',
            graph_attr={'overlap': 'orthoxy',
                        'diredgeconstraints': 'true',
                        'splines': 'ortho'},
            node_attr={'shape': 'box',
                       'style': 'filled',
                       'fontcolor': '#212529',
                       'fontsize': '10',
                       'fontname': 'sans-serif'})

    methods = []
    for search in graphs[g]:
        for m in dx.find_methods(methodname=search['method'], classname=search['class']):
            if 'starts_with' in search:
                cm = clean_name(str(m.get_method()))
                if cm.startswith(search['starts_with']):
                    methods.append(m)
            else:
                methods.append(m)

    for m in methods:
        fg.node(clean_name(str(m.get_method())), color='#985e6d', fontcolor='white')
        ancestors = nx.ancestors(call_graph, m.get_method())
        ancestors.add(m.get_method())
        graph = call_graph.subgraph(ancestors)
        for n, d in graph.in_degree():
            if d == 0:
                fg.node(clean_name(str(n)), color='#494e6b', fontcolor='white')
        for u, v in graph.edges:
            fg.edge(clean_name(str(u)), clean_name(str(v)))

    fg.render(g)

A suspected new FinSpy version

FinSpy capabilities and technical aspects are widely documented online. In this section we focus on what we suspect to be clues of a new version of FinSpy for Android.

To do so, we investigate on the following parameters:

  • location of the FinSpy configuration
  • string obfuscation
  • local socket address generation
  • unknown TLV types

Configuration storage

As far as we know, FinSpy stores its configuration into APK metadata. It was well documented and extraction tools are available online:

  • https://github.com/devio/FinSpy-Tools
  • https://github.com/SpiderLabs/malware-analysis/blob/master/Ruby/FinSpy/

The sample we investigate on shows that the FinSpy configuration is stored into the DEX file.

FinSpy configuration stored into the DEX

FinSpy configuration stored into the DEX

Even if existing extraction tools failed to extract the configuration from the DEX, parsing tools succeeded to parse it. The structure of the configuration remains the same, only its storage location has changed.

We name this FinSpy variant DexDen.

String obfuscation

As far as we know, FinSpy strings defined in its code are not obfuscated. The sample we analyze is different, all Java strings are obfuscated. Each Java class using strings implements the following 2 Java methods:

  • String OOOoOoiIoIIiO0o01I1I00(final int index) returning the obfuscated string as bytes at the given index.
  • byte[] i1IlIil011Iiil(final byte[] array, final byte[] array2) decoding an obfuscated string.
Example of obfuscated strings and the two decoding TippyPads

Example of obfuscated strings and the two decoding TippyPads

Example of the Java method decoding obfuscated strings

Example of the Java method decoding obfuscated strings

Strings are decoded by XORing of the obfuscated one with one of the two pads. The pad is selected according to the index mod 2. Pads are the same for all Java classes using strings:

  • 0123456789abcdef
  • fedcba9876543210

We have developed a Python script parsing the entire Java code to retrieve obfuscated strings java_parser.py and one to decode them string_decoder.py.

We denote this kind of string obfuscation TippyPad for short.

Local socket address generation

FinSpy uses Unix socket to communicate between threads. The local socket address is generated by hashing the values of the following system properties:

  • ro.product.model
  • ro.product.brand
  • ro.product.name
  • ro.product.device
  • ro.product.manufacturer
  • ro.build.fingerprint

An utility method meant to encode data and generate local socket address uses the timestamp 1540483477 corresponding to Thu 25 October 2018 16:04:37 UTC. Java method generating local socket address is listed below.

Java method generating the local socket address

Java method generating the local socket address

We denote this kind of address generation TippyTime for short.

Unknown TLV types

After leaks about FinFisher and FinSpy, community has reversed the different TLV values used in data marshaling/unmarshaling to ensure a common data format between C2s and implants. These values are available online: https://github.com/devio/FinSpy-Tools/blob/master/Android/finspyCfgParse.py

The FinSpy version we analyze seems to be using unknown TLV values. To get some meaning about the different unknown TLV values, we reversed existing values. We were able to detect semantic groups based on the binary representation of these values.

The Python script we developed recovers groups based on existing values. Then parses the sample Smali code to extract unknown TLV values. We used a patched version of Smalisca to do so. We have extracted the following suspected unknown TLV values. The entire list of TLV and groups is available in the GitHub repository.

To determine the group the TLV value belongs to just mask that value with 0xFFFFF800.

Group IDGroup nameTLV valueKnown TLVTLV name
64drives all get131488TlvTypeGetAllDrivesRequest
64drives all get131744TlvTypeGetAllDrivesReply
66contents folder get135328TlvTypeGetFolderContentsRequest
66contents folder get135584TlvTypeGetFolderContentsReply
66contents folder get135840TlvTypeGetFolderContentsNext
66contents folder get136096TlvTypeGetFolderContentsEnd
68download file139424TlvTypeDownloadFileRequest
68download file139680TlvTypeCancelDownloadFileRequest
68download file139936TlvTypeDownloadFileReply
68download file140192TlvTypeDownloadFileNext
68download file140448TlvTypeDownloadFileEnd
68download file140704TlvTypeCancelDownloadFileReply
70upload file143520TlvTypeUploadFileRequest
70upload file143776TlvTypeCancelUploadFileRequest
70upload file144032TlvTypeUploadFileReply
70upload file144288TlvTypeUploadFileNext
70upload file144544TlvTypeUploadFileEnd
70upload file144800TlvTypeUploadFileCompleted
70upload file145056TlvTypeCancelUploadFileReply
72delete file147616TlvTypeDeleteFileRequest
72delete file147872TlvTypeDeleteFileReply
74search file151968TlvTypeSearchFileRequest
74search file152224TlvTypeSearchFileReply
74search file152480TlvTypeSearchFileNext
74search file152736TlvTypeSearchFileEnd
74search file152992TlvTypeCancelSearchFileRequest
74search file153248TlvTypeCancelSearchFileReply
78fs159888TlvTypeFSFileDataChunk
78fs160128TlvTypeFSDiskDrive
78fs160384TlvTypeFSFullPath
78fs160640TlvTypeFSFilename
78fs160896TlvTypeFSFileExtension
78fs161088TlvTypeFSDiskDriveType
78fs161408TlvTypeFSFileSize
78fs161584TlvTypeFSIsFolder
79fs161840TlvTypeFSReadOnly
79fs162096TlvTypeFSHidden
79fs162352TlvTypeFSSystem
79fs162688TlvTypeFSFileCreationTime
79fs162944TlvTypeFSFileLastAccessTime
79fs163200TlvTypeFSFileLastWriteTime
79fs163472TlvTypeFSFullPathM
79fs163632×unknown
82system config file168096TlvTypeGetFileSystemConfigRequest
82system config file168352TlvTypeFileSystemConfigReply
82system config file168608TlvTypeSetFileSystemConfigRequest
128line cmd262560TlvTypeStartCmdLineSessionRequest
128line cmd262816TlvTypeStartCmdLineSessionReply
128line cmd263072TlvTypeStopCmdLineSessionRequest
128line cmd263328TlvTypeCmdLineSessionStoppedReply
128line cmd263584TlvTypeCmdLineExecute
128line cmd263840TlvTypeCmdLineExecutionResult
130line cmd execute266352TlvTypeCmdLineExecuteCommand
130line cmd execute266560TlvTypeCmdLineExecuteAnswerID
130line cmd execute266864TlvTypeCmdLineExecuteAnswerData
146line config cmd299168TlvTypeGetCmdLineConfigRequest
146line config cmd299424TlvTypeCmdLineConfigReply
146line config cmd299680TlvTypeSetCmdLineConfigRequest
160config scheduler328096TlvTypeGetSchedulerConfigRequest
160config scheduler328352TlvTypeSchedulerConfigReply
160config scheduler328608TlvTypeSetSchedulerConfigRequest
162task scheduler331920TlvTypeSchedulerTask
162task scheduler332192TlvTypeSchedulerTaskRecordByTime
162task scheduler332448TlvTypeSchedulerTaskRecordScreenWhenAppRuns
162task scheduler332704TlvTypeSchedulerTaskRecordMicWhenAppUsesIt
162task scheduler332960TlvTypeSchedulerTaskRecordWebCamWhenAppUsesIt
176sch360592TlvTypeSCHTaskConfiguration
176sch360752TlvTypeSCHTaskEnabled
176sch361344TlvTypeSCHTaskStartDateTime
176sch361600TlvTypeSCHTaskStopDateTime
176sch362112TlvTypeSCHApplicationName
176sch362288TlvTypeSCHApplicationWindowOnly
512microphone1048992TlvTypeStartMicrophoneRequest
512microphone1049248TlvTypeStartMicrophoneReply
512microphone1049504TlvTypeMicrophoneFrame
512microphone1049760TlvTypeStopMicrophoneRequest
512microphone1050016TlvTypeMicrophoneStoppedReply
512microphone1050272TlvTypeStartMicrophoneRecording
5141052736TlvTypeMICFrameID
5141053072TlvTypeMICFrameData
5141053312TlvTypeAudioSessionType
5141053568TlvTypeAudioEncodingType
518audio config1061024TlvTypeGetAudioConfigRequest
518audio config1061280TlvTypeAudioConfigReply
518audio config1061536TlvTypeSetAudioConfigRequest
520type video1066112TlvTypeVideoSessionType
520type video1066368TlvTypeVideoEncodingType
544screen1114528TlvTypeStartScreenRequest
544screen1114784TlvTypeStartScreenReply
544screen1115040TlvTypeScreenFrame
544screen1115296TlvTypeStopScreenRequest
544screen1115552TlvTypeScreenStoppedReply
544screen1115808TlvTypeStartScreenRecording
548cam web1122720TlvTypeStartWebCamRequest
548cam web1122976TlvTypeStartWebCamReply
548cam web1123232TlvTypeWebCamFrame
548cam web1123488TlvTypeStopWebCamRequest
548cam web1123744TlvTypeWebCamStoppedReply
548cam web1124000TlvTypeStartWebCamRecording
550config video1126560TlvTypeGetVideoConfigRequest
550config video1126816TlvTypeVideoConfigReply
550config video1127072TlvTypeSetVideoConfigRequest
5521130560TlvTypeVDFrameID
5521130896TlvTypeVDFrameData
5521131136TlvTypeOriginalVideoResolution
5521131392TlvTypeVideoResolution
5521132160TlvTypeAutomaticRecordingUID
576key logging1180064TlvTypeStartKeyLoggingRequest
576key logging1180320TlvTypeStartKeyLoggingReply
576key logging1180576TlvTypeKeyLoggingFrame
576key logging1180832TlvTypeStopKeyLoggingRequest
576key logging1181088TlvTypeKeyLoggingStoppedReply
582config keylogger1192096TlvTypeGetKeyloggerConfigRequest
582config keylogger1192352TlvTypeKeyloggerConfigReply
582config keylogger1192608TlvTypeSetKeyloggerConfigRequest
584kl frame data1196416TlvTypeKLFrameData
640skype1311136TlvTypeSkypeAudioMetaInfo
640skype1311376TlvTypeSkypeAudioRecording
640skype1311648TlvTypeSkypeTextRecording
640skype1311904TlvTypeSkypeFileMetaInfo
640skype1312144TlvTypeSkypeFileRecording
640skype1312416TlvTypeSkypeContactsRecording
640skype1312640TlvTypeSkypeContactsUserData
646config skype1323168TlvTypeGetSkypeConfigRequest
646config skype1323424TlvTypeSkypeConfigReply
646config skype1323680TlvTypeSetSkypeConfigRequest
646config skype1324336TlvTypeConfigSkypeAudioEnable
646config skype1324592TlvTypeConfigSkypeTextEnable
646config skype1324848TlvTypeConfigSkypeFileEnable
647config contacts enable list skype1325104TlvTypeConfigSkypeContactsListEnable
648skype1327232TlvTypeSkypeAudioEncodingType
648skype1327488TlvTypeSkypeLoggedInUserAccountName
648skype1327744TlvTypeSkypeConversationPartnerAccountName
648skype1328000TlvTypeSkypeConversationPartnerDisplayName
648skype1328256TlvTypeSkypeChatMembers
648skype1328512TlvTypeSkypeTextMessage
648skype1328768TlvTypeSkypeChatID
648skype1329024TlvTypeSkypeSenderAccountName
649skype1329280TlvTypeSkypeSenderDisplayName
649skype1329536TlvTypeSkypeIncoming
649skype1329792TlvTypeSkypeSessionType
704changed file1442208TlvTypeChangedFileMetaInfo
704changed file1442432TlvTypeChangedFileChangeTime
704changed file1442688TlvTypeChangedFileChangeEvent
704changed file1442960TlvTypeChangedFileRecording
710config changed1454240TlvTypeGetChangedConfigRequest
710config changed1454496TlvTypeChangedConfigReply
710config changed1454752TlvTypeSetChangedConfigRequest
710config changed1454912TlvTypeConfigChangedEvents
7361507744TlvTypeAccessedFileMetaInfo
7361507968TlvTypeAccessedFileAccessTime
7361508224TlvTypeAccessedFileAccessEvent
7361508496TlvTypeAccessedFileRecording
7361508736TlvTypeAccessedApplicationName
7361508912TlvTypeConfigRecordImagesFromExplorer
742accessed config1519776TlvTypeGetAccessedConfigRequest
742accessed config1520032TlvTypeAccessedConfigReply
742accessed config1520288TlvTypeSetAccessedConfigRequest
742accessed config1520448TlvTypeConfigAccessedEvents
768print1573280TlvTypePrintFileMetaInfo
768print1573520TlvTypePrintFrame
772print1581184TlvTypePrintApplicationName
772print1581440TlvTypePrintFilename
772print1581696TlvTypePrintEncodingType
774print config1585312TlvTypeGetPrintConfigRequest
774print config1585568TlvTypePrintConfigReply
774print config1585824TlvTypeSetPrintConfigRequest
800deleted1638816TlvTypeDeletedFileMetaInfo
800deleted1639296TlvTypeDeletedFileDeletionTime
800deleted1639552TlvTypeDeletedFileRecycleBin
800deleted1639808TlvTypeDeletedMethod
800deleted1640064TlvTypeDeletedApplicationName
800deleted1640336TlvTypeDeletedFileRecording
806config deleted1650848TlvTypeGetDeletedConfigRequest
806config deleted1651104TlvTypeDeletedConfigReply
806config deleted1651360TlvTypeSetDeletedConfigRequest
1024application upload forensics2097568TlvTypeUploadForensicsApplicationRequest
1024application upload forensics2097824TlvTypeUploadForensicsApplicationReply
1024application upload forensics2098080TlvTypeUploadForensicsApplicationChunk
1024application upload forensics2098336TlvTypeUploadForensicsApplicationDoneRequest
1024application upload forensics2098592TlvTypeUploadForensicsApplicationDoneReply
1026application remove forensics2101664TlvTypeRemoveForensicsApplicationRequest
1026application remove forensics2101920TlvTypeRemoveForensicsApplicationReply
1028app forensics execute2105760TlvTypeForensicsAppExecuteRequest
1028app forensics execute2106016TlvTypeForensicsAppExecuteReply
1028app forensics execute2106272TlvTypeForensicsAppExecuteResult
1028app forensics execute2106528TlvTypeForensicsAppExecuteResultChunk
1028app forensics execute2106784TlvTypeForensicsAppExecuteResultDone
1028app forensics execute2107040TlvTypeForensicsCancelAppExecuteRequest
1028app forensics execute2107296TlvTypeForensicsCancelAppExecuteReply
1030config forensics2109600TlvTypeGetForensicsConfigRequest
1030config forensics2109856TlvTypeForensicsConfigReply
1030config forensics2110112TlvTypeSetForensicsConfigRequest
1032application config info forensics2113680TlvTypeConfigForensicsApplicationInfoGeneric
1032application config info forensics2113952TlvTypeConfigForensicsApplicationInfo
1034forensics2117760TlvTypeConfigForensicsApplicationName
1034forensics2117952TlvTypeConfigForensicsApplicationSize
1034forensics2118208TlvTypeConfigForensicsApplicationID
1034forensics2118528TlvTypeConfigForensicsApplicationCmdline
1034forensics2118784TlvTypeConfigForensicsApplicationOutput
1034forensics2118976TlvTypeConfigForensicsApplicationTimeout
1034forensics2119232TlvTypeConfigForensicsApplicationVersion
1034forensics2119552TlvTypeForensicsFriendlyName
1035output application config forensics2119808TlvTypeConfigForensicsApplicationOutputPrepend
1035output application config forensics2120064TlvTypeConfigForensicsApplicationOutputContentType
1056vo meta info ip2163104TlvTypeVoIPMetaInfo
1058vo ip2166912TlvTypeVoIPEncodingType
1058vo ip2167168TlvTypeVoIPSessionType
1058vo ip2167424TlvTypeVoIPApplicationName
1058vo ip2167696TlvTypeVoIPAppScreenshot
1058vo ip2167952TlvTypeVoIPAudioRecording
1058vo ip2168112TlvTypeConfigVoIPScreenshotEnabled
1062vo config ip2175136TlvTypeGetVoIPConfigRequest
1062vo config ip2175392TlvTypeVoIPConfigReply
1062vo config ip2175648TlvTypeSetVoIPConfigRequest
1088clicks mouse2228640TlvTypeMouseClicksMetaInfo
1088clicks mouse2228896TlvTypeMouseClicksFrame
1090clicks mouse2232448TlvTypeMouseClicksEncodingType
1090clicks mouse2232896TlvTypeConfigMouseClicksRectangle
1090clicks mouse2233152TlvTypeConfigMouseClicksSensitivity
1090clicks mouse2233408TlvTypeConfigMouseClicksType
1094clicks config mouse2240672TlvTypeGetMouseClicksConfigRequest
1094clicks config mouse2240928TlvTypeMouseClicksConfigReply
1094clicks config mouse2241184TlvTypeSetMouseClicksConfigRequest
2112sms4325792TlvTypeMobileSMSMetaInfo
2112sms4326016TlvTypeMobileSMSData
2112sms4326256TlvTypeSMSSenderNumber
2112sms4326512TlvTypeSMSRecipientNumber
2112sms4326528TlvTypeSMSInformation
2112sms4326768TlvTypeSMSDirection
2112sms4327040×unknown
2144address book mobile4391328TlvTypeMobileAddressBookMetaInfo
2144address book mobile4391552TlvTypeMobileAddressBookData
2152address book checksum mobile4407360TlvTypeMobileAddressBookChecksum
2176mobile blackberry4456864TlvTypeMobileBlackberryMessengerMetaInfo
2176mobile blackberry4457088TlvTypeMobileBlackberryMessengerData
2176mobile blackberry4457328TlvTypeMobileBlackberryMsChatID
2176mobile blackberry4457600TlvTypeMobileBlackberryMsConversationPartners
2208mobile tracking4522400TlvTypeMobileTrackingStartRequest
2208mobile tracking4522656TlvTypeMobileTrackingStopRequest
2208mobile tracking4523376TlvTypeMobileTrackingDataV10
2214mobile config tracking4535200TlvTypeMobileTrackingConfig
2214mobile config tracking4535440TlvTypeMobileTrackingConfigRaw
2216mobile tracking4538432TlvTypeMobileTrackingTimeInterval
2216mobile tracking4538688TlvTypeMobileTrackingDistance
2216mobile tracking4538928TlvTypeMobileTrackingSendOnAnyChannel
2240mobile call phone4587936TlvTypeMobilePhoneCallLogsMetaInfo
2240mobile call phone4588192TlvTypeMobilePhoneCallLogsData
2240mobile call phone4588400TlvTypeMobilePhoneCallLogsType
2240mobile call phone4588672TlvTypeMobilePhoneCallAdditionalInformation
2240mobile call phone4588912TlvTypeMobilePhoneCallLogsCallerNumber
2240mobile call phone4589168TlvTypeMobilePhoneCallLogsCalleeNumber
2240mobile call phone4589440TlvTypeMobilePhoneCallLogsCallerName
2241name call phone logs mobile callee4589696TlvTypeMobilePhoneCallLogsCalleeName
2242last call phone entry mobile endtime log4591680TlvTypeMobilePhoneCallLogLastEntryEndtime
3072mobile logging6291872TlvTypeMobileLoggingMetaInfo
3072mobile logging6292096TlvTypeMobileLoggingData
3616master agent7405984TlvTypeMasterAgentLogin
3616master agent7406240TlvTypeMasterAgentLoginAnswer
3616master agent7406752TlvTypeMasterAgentTargetList
3616master agent7407008TlvTypeMasterAgentTargetOnlineList
3616master agent7407264TlvTypeMasterAgentTargetInfoReply
3616master agent7407520TlvTypeMasterAgentUserList
3617master agent list7407776TlvTypeMasterAgentUserListReply
3617master agent list7408032TlvTypeMasterAgentTargetArchivedList
3617master agent list7408288TlvTypeMasterAgentTargetListEx
3617master agent list7408544TlvTypeMasterAgentTargetOnlineListEx
3617master agent list7408800TlvTypeMasterAgentMobileTargetArchivedList
3617master agent list7409056TlvTypeMasterAgentMobileTargetList
3617master agent list7409312TlvTypeMasterAgentMobileTargetOnlineList
36187409824TlvTypeMasterAgentQueryFirst
36187410080TlvTypeMasterAgentQueryNext
36187410336TlvTypeMasterAgentQueryLast
36187410592TlvTypeMasterAgentQueryAnswer
36187410848TlvTypeMasterAgentRemoveRecord
36187411104TlvTypeMasterAgentTargetInfoExReply
36187411344TlvTypeTargetInfoExProperty
36187411616TlvTypeTargetInfoExPropertyValue
36197411840TlvTypeTargetInfoExPropertyValueName
36197411968TlvTypeTargetInfoExPropertyValueData
36197412384TlvTypeMasterAgentAlarm
3620master agent7413920TlvTypeMasterAgentRetrieveData
3620master agent7414176TlvTypeMasterAgentRetrieveDataAnswer
3620master agent7414432TlvTypeMasterAgentRemoveUser
3620master agent7414688TlvTypeMasterAgentRemoveTarget
3620master agent7414944TlvTypeMasterAgentRetrieveDataComments
3620master agent7415200TlvTypeMasterAgentUpdateDataComments
3620master agent7415712TlvTypeMasterAgentRetrieveActivityLogging
3621master agent7415968TlvTypeMasterAgentRetrieveMasterLogging
3621master agent7416224TlvTypeMasterAgentRetrieveAgentActivityLogging
3621master agent7417248TlvTypeMasterAgentSendUserGUIConfig
3621master agent7417504TlvTypeMasterAgentGetUserGUIConfigRequest
3621master agent7417760TlvTypeMasterAgentGetUserGUIConfigReply
3622master agent7418016TlvTypeMasterAgentProxyList
3622master agent7418272TlvTypeMasterAgentProxyInfoReply
3622master agent7419040TlvTypeMasterAgentNameValuePacket
3622master agent7419248TlvTypeMasterAgentValueName
3622master agent7419392TlvTypeMasterAgentValueData
3622master agent7419808TlvTypeMasterAgentRetrieveTargetHistory
3623install master agent7421088TlvTypeMasterAgentInstallMasterLicense
3623install master agent7421344TlvTypeMasterAgentInstallSoftwareUpdate
3623install master agent7421600TlvTypeMasterAgentInstallSoftwareUpdateChunk
3623install master agent7421856TlvTypeMasterAgentInstallSoftwareUpdateDone
3624master agent7422112TlvTypeMasterAgentSoftwareUpdateInfo
3624master agent7422368TlvTypeMasterAgentSoftwareUpdateInfoReply
3624master agent7422624TlvTypeMasterAgentSoftwareUpdate
3624master agent7422880TlvTypeMasterAgentSoftwareUpdateReply
3624master agent7423136TlvTypeMasterAgentSoftwareUpdateNext
3624master agent7423392TlvTypeMasterAgentAddTimeSchedule
3624master agent7423648TlvTypeMasterAgentAddScreenSchedule
3624master agent7423904TlvTypeMasterAgentAddLockedSchedule
3625master agent7424160TlvTypeMasterAgentRemoveSchedule
3625master agent7424416TlvTypeMasterAgentGetSchedulerList
3625master agent7424672TlvTypeMasterAgentSchedulerTimeAction
3625master agent7424928TlvTypeMasterAgentSchedulerScreenAction
3625master agent7425184TlvTypeMasterAgentSchedulerLockedAction
3625master agent7425440TlvTypeMasterAgentProjectSoftwareUpdateInfo
3625master agent7425696TlvTypeMasterAgentProjectSoftwareUpdateInfoReply
3625master agent7425952TlvTypeMasterAgentProjectSoftwareUpdate
3626master agent7426112TlvTypeMasterAgentSchedulerID
3626master agent7426368TlvTypeMasterAgentSchedulerStartTime
3626master agent7426624TlvTypeMasterAgentSchedulerStopTime
3626master agent7427488TlvTypeMasterAgentAddRecordedDataAvailableSchedule
3626master agent7427744TlvTypeMasterAgentSchedulerRecordedDataAvailableAction
3627master agent data7428256TlvTypeMasterAgentRetrieveRemoteMasterData
3627master agent data7428512TlvTypeMasterAgentRetrieveRemoteMasterDataReply
3627master agent data7428768TlvTypeMasterAgentDeleteRemoteMasterData
3627master agent data7429024TlvTypeMasterAgentRetrieveOfflineMasterData
3627master agent data7429280TlvTypeMasterAgentRetrieveOfflineMasterDataReply
3627master agent data7429536TlvTypeMasterAgentDeleteOfflineMasterData
3628master agent7430304TlvTypeMasterAgentQueryFirstEx
3628master agent7430560TlvTypeMasterAgentQueryNextEx
3628master agent7430816TlvTypeMasterAgentQueryLastEx
3628master agent7431072TlvTypeMasterAgentQueryAnswerEx
3628master agent7431328TlvTypeMasterAgentSendUserPreferences
3628master agent7431584TlvTypeMasterAgentGetUserPreferencesRequest
3628master agent7431840TlvTypeMasterAgentGetUserPreferencesReply
3628master agent7432096TlvTypeMasterAgentListMCFilesRequest
3629master agent mc7432608TlvTypeMasterAgentDeleteMCFiles
3629master agent mc7432864TlvTypeMasterAgentSendMCFiles
3629master agent mc7433120TlvTypeMasterAgentMCStatisticsRequest
3629master agent mc7433376TlvTypeMasterAgentMCStatisticsReply
3629master agent mc7433616TlvTypeMasterAgentMCStatisticsValues
3630master agent7434400TlvTypeMasterAgentTrojanKeyRequest
3630master agent7434656TlvTypeMasterAgentTrojanKeyReply
3630master agent7434912TlvTypeMasterAgentEvProtectionX509Request
3630master agent7435168TlvTypeMasterAgentEvProtectionX509Reply
3630master agent7435424TlvTypeMasterAgentEvProtectionImportCert
3630master agent7435680TlvTypeMasterAgentEvProtectionImportCertCompleted
3630master agent7435936TlvTypeMasterAgentConfigurationRequest
3630master agent7436192TlvTypeMasterAgentConfigurationReply
3631master agent configuration7436448TlvTypeMasterAgentConfigurationUpdateRequest
3631master agent configuration7436704TlvTypeMasterAgentConfigurationUpdateRequestCompleted
3631master agent configuration7436944TlvTypeMasterAgentConfiguration
3631master agent configuration7437216TlvTypeMasterAgentConfigurationValue
3631master agent configuration7437424TlvTypeMasterAgentConfigurationValueName
3631master agent configuration7437568TlvTypeMasterAgentConfigurationValueData
3631master agent configuration7437984TlvTypeMasterAgentConfigurationTransferDone
3632master agent7438496TlvTypeMasterAgentRetrieveTargetFile
3632master agent7438752TlvTypeMasterAgentRetrieveTargetFileAnswer
3632master agent7438912TlvTypeMasterAgentAlarmEntryID
3632master agent7439168TlvTypeMasterAgentAlarmEntryVersion
3632master agent7439424TlvTypeMasterAgentAlarmTriggerFlags
3632master agent7439776TlvTypeMasterAgentGetAlarmList
3632master agent7440032TlvTypeMasterAgentAddAlarmEntry
3632master agent7440288TlvTypeMasterAgentRemoveAlarmEntry
3633master agent7440544TlvTypeMasterAgentAlarmEntry
3633master agent7440800TlvTypeMasterAgentSystemStatus
3633master agent7441056TlvTypeMasterAgentSystemStatusRequest
3633master agent7441312TlvTypeMasterAgentSystemStatusReply
3633master agent7441552TlvTypeMasterAgentLicenseValues
3633master agent7441824TlvTypeMasterAgentLicenseValuesRequest
3633master agent7442080TlvTypeMasterAgentLicenseValuesReply
3634master agent7442592TlvTypeMasterAgentGetNetworkConfigurationRequest
3634master agent7442848TlvTypeMasterAgentSetNetworkConfigurationRequest
3634master agent7443104TlvTypeMasterAgentSetNetworkConfigurationReply
3634master agent7443360TlvTypeMasterAgentRetrieveAllowedModulesList
3634master agent7443616TlvTypeMasterAgentRetrieveAllowedModulesListAnswer
3636master agent7446688TlvTypeMasterAgentRemoveAllTargetData
3636master agent7446944TlvTypeMasterAgentForceDownloadRecordedData
3636master agent7447200TlvTypeMasterAgentTargetCreateNotification
3636master agent7447456TlvTypeMasterAgentMobileTargetInfoReply
3636master agent7447696TlvTypeMasterAgentMobileTargetInfoValues
3638master agent alert7450784TlvTypeMasterAgentAlert
3640master agent7454880TlvTypeMasterAgentAddUser
3640master agent7455392TlvTypeMasterAgentAddUserReply
3640master agent7455648TlvTypeMasterAgentModifyUser
3640master agent7455904TlvTypeMasterAgentSetUserPermission
3640master agent7456160TlvTypeMasterAgentSetTargetPermission
3640master agent7456400TlvTypeMasterAgentUserPermission
3640master agent7456656TlvTypeMasterAgentTargetPermission
3641master agent7456928TlvTypeMasterAgentUserPermissionValuePacket
3641master agent7457184TlvTypeMasterAgentTargetPermissionValuePacket
3641master agent7457344TlvTypeMasterAgentUserPermissionValueName
3641master agent7457600TlvTypeMasterAgentTargetPermissionValueName
3641master agent7457856TlvTypeMasterAgentUserPermissionValueData
3641master agent7458112TlvTypeMasterAgentTargetPermissionValueData
3641master agent7458464TlvTypeMasterAgentModifyPassword
3641master agent7458656TlvTypeMasterAgentMobileTargetPermissionValueName
3642master agent7458976TlvTypeMasterAgentUploadFile
3642master agent7459232TlvTypeMasterAgentUploadFileChunk
3642master agent7459488TlvTypeMasterAgentUploadFileDone
3642master agent7459744TlvTypeMasterAgentUploadFilesTransferDone
3642master agent7460000TlvTypeMasterAgentGetTargetModuleConfigRequest
3642master agent7460256TlvTypeMasterAgentRemoveFile
3642master agent7460512TlvTypeMasterAgentMobileProxyList
3642master agent7460768TlvTypeMasterAgentSMSProxyList
3643master agent7461024TlvTypeMasterAgentSMSProxyInfoReply
3643master agent7461280TlvTypeMasterAgentCallPhoneNumberList
3643master agent7461536TlvTypeMasterAgentCallPhoneNumberInfoReply
3643master agent7461792TlvTypeMasterAgentGetMobileTargetModuleConfigRequest
3643master agent7462048TlvTypeMasterAgentSendSMS
3647master agent7469984TlvTypeMasterAgentEncryptionRequired
3647master agent7470240TlvTypeMasterAgentFileCompleted
3647master agent7470496TlvTypeMasterAgentRequestCompleted
3647master agent7470752TlvTypeAgentMasterComm
3647master agent7471008TlvTypeMasterAgentRequestStatus
3648master7471424TlvTypeProxyMasterCommSig
3648master7471520TlvTypeMasterTargetConn
3648master7471776TlvTypeProxyMasterComm
3648master7472032TlvTypeMasterProxyComm
3648master7472288TlvTypeProxyMasterHeartBeatAnswer
3648master7472544TlvTypeProxyMasterDisconnect
3648master7472704TlvTypeProxyMasterNotification
3648master7473056TlvTypeProxyMasterRequest
3649master7473312TlvTypeMasterProxyCommNotification
3649master7473568TlvTypeMasterCheckTargetDisconnect
3680target proxy7536960TlvTypeProxyTargetCommSig
3680target proxy7537312TlvTypeProxyTargetComm
3680target proxy7537568TlvTypeProxyMasterTargetComm
3680target proxy7537728TlvTypeProxyTargetRequestCrypto
3680target proxy7538064TlvTypeProxyTargetAnswerCrypto
3744target7668128TlvTypeMasterTargetComm
3744target7668384TlvTypeTargetCloseAllLiveStreaming
3776relay7733664TlvTypeRelayProxyComm
3776relay7734176TlvTypeRelayDummyHeartbeat
4032test type meta8257792TlvTypeTestMetaTypeInvalid
4032test type meta8258608TlvTypeTestMetaTypeBool
4032test type meta8258880TlvTypeTestMetaTypeUInt
4032test type meta8259152TlvTypeTestMetaTypeInt
4032test type meta8259440TlvTypeTestMetaTypeString
4033test8259712TlvTypeTestMetaTypeUnicode
4033test8259984TlvTypeTestMetaTypeRaw
4033test8260256TlvTypeTestMetaTypeGroup
4033test8260416TlvTypeTestMemberIdentifier
4033test8260736TlvTypeTestMemberName
4096target8389008TlvTypeTargetData
4096target8389280TlvTypeTargetHeartBeat
4096target8389680TlvTypeTargetKeepSessionAlive
4096target8390000TlvTypeTargetLocalIP
4096target8390256TlvTypeTargetGlobalIP
4096target8390448TlvTypeTargetState
4097agent master8390784TlvTypeTargetID
4097agent master8391072TlvTypeGetInstalledModulesRequest
4097agent master8391328TlvTypeInstalledModulesReply
4097agent master8391488TlvTypeTrojanUID
4097agent master8391808TlvTypeTrojanID
4097agent master8392000TlvTypeTrojanMaxInfections
4097agent master8392240TlvTypeScreenSaverOn
4097agent master8392496TlvTypeScreenLocked
4098agent master8392752TlvTypeRecordedDataAvailable
4098agent master8393024TlvTypeDownloadedRecordedDataTimeStamp
4098agent master8393280TlvTypeInstallationMode
4098agent master8393552TlvTypeTargetRemoveNotification
4098agent master8393792TlvTypeTargetPlatformBits
4098agent master8394032TlvTypeRemoveItselfMaxInfectionReached
4098agent master8394288TlvTypeRemoveItselfAtMasterRequest
4098agent master8394544TlvTypeRemoveItselfAtAgentRequest
4099agent master8394912TlvTypeRemoveItselfAtAgentReqRequest
4099agent master8395072TlvTypeRecordedFilesDownloadTotal
4099agent master8395328TlvTypeRecordedFilesDownloadProgress
4099agent master8395632TlvTypeTargetLicenseInfo
4099agent master8395840TlvTypeRemoveTargetLicenseInfo
4099agent master8396176TlvTypeTargetAllConfigurations
4100target error8396960TlvTypeTargetError
4102target config8401056TlvTypeGetTargetConfigRequest
4102target config8401312TlvTypeTargetConfigReply
4102target config8401568TlvTypeSetTargetConfigRequest
4102target config8402304TlvTypeConfigTargetID
4102target config8402496TlvTypeConfigTargetHeartbeatInterval
4102target config8402800TlvTypeConfigTargetProxy
4103agent master8403008TlvTypeConfigTargetPort
4103agent master8403584TlvTypeConfigAutoRemovalDateTime
4103agent master8403776TlvTypeConfigAutoRemovalIfNoProxy
4103agent master8404032TlvTypeInternalAutoRemovalElapsedTime
4104active hiding config8405040TlvTypeConfigActiveHiding
4106target module8409248TlvTypeTargetLoadModuleRequest
4106target module8409504TlvTypeTargetLoadModuleReply
4106target module8409760TlvTypeTargetUnLoadModuleRequest
4106target module8410016TlvTypeTargetUnLoadModuleReply
4106target module8410272TlvTypeTargetUploadModuleRequest
4106target module8410528TlvTypeTargetUploadModuleReply
4106target module8410784TlvTypeTargetUploadModuleChunk
4106target module8411040TlvTypeTargetUploadModuleDoneRequest
4107target module8411296TlvTypeTargetUploadModuleDoneReply
4107target module8411552TlvTypeTargetRemoveModuleRequest
4107target module8411808TlvTypeTargetRemoveModuleReply
4107target module8412064TlvTypeTargetOfflineUploadModuleRequest
4107target module8412320TlvTypeTargetOfflineUploadModuleReply
4107target module8412576TlvTypeTargetOfflineUploadModuleChunk
4107target module8412832TlvTypeTargetOfflineUploadModuleDoneRequest
4107target module8413088TlvTypeTargetOfflineUploadModuleDoneReply
4108target error8413344TlvTypeTargetOfflineError
4108target error8413600TlvTypeTargetUploadError
4109files reply master list agent mc8415392TlvTypeMasterAgentListMCFilesReply
4110target recorded8417440TlvTypeTargetGetRecordedFilesRequest
4110target recorded8417696TlvTypeTargetRecordedFilesReply
4110target recorded8417952TlvTypeTargetRecordedFileDownloadRequest
4110target recorded8418208TlvTypeTargetRecordedFileDownloadReply
4110target recorded8418464TlvTypeTargetRecordedFileDownloadChunk
4110target recorded8418720TlvTypeTargetRecordedFileDownloadCompleted
4110target recorded8418976TlvTypeTargetRecordedFileDeleteRequest
4110target recorded8419232TlvTypeTargetRecordedFileDeleteReply
4111target recorded ex8419488TlvTypeTargetGetRecordedFilesRequestEx
4111target recorded ex8419744TlvTypeTargetRecordedFilesReplyEx
4111target recorded ex8420000TlvTypeTargetRecordedFileDeleteRequestEx
4111target recorded ex8420256TlvTypeTargetRecordedFilesDownloadRequestEx
4128data8454544TlvTypeProxyData
4128data8454800TlvTypeRelayData
4130proxy8458400TlvTypeProxyTargetDisconnect
4130proxy8458656TlvTypeProxyMobileTargetDisconnect
4130proxy8458912TlvTypeProxyDummyHeartbeat
4130proxy8459168TlvTypeProxyMobileDummyHeartbeat
4160master8520080TlvTypeMasterData
4160master8520768TlvTypeMasterMode
4160master8521024TlvTypeMasterToken
4160master8521344TlvTypeMasterQueryResult
4161string master alarm8522368TlvTypeMasterAlarmString
4192agent8585616TlvTypeAgentData
4192agent8585808TlvTypeAgentQueryID
4192agent8586048TlvTypeAgentQueryModSubmodID
4192agent8586304TlvTypeAgentQueryFromDate
4192agent8586560TlvTypeAgentQueryToDate
4192agent8586816TlvTypeAgentQuerySortOrder
4192agent8587136TlvTypeAgentQueryValueFilter
4193uid agent8587328TlvTypeAgentUID
4224mobile8651152TlvTypeMobileTargetData
4224mobile8651376TlvTypeMobileTargetHeartBeatV10
4224mobile8651632TlvTypeMobileTargetExtendedHeartBeatV10
4224mobile8651888TlvTypeMobileHeartBeatReplyV10
4225installed reply modules mobile8653472TlvTypeMobileInstalledModulesReply
4225installed reply modules mobile8652912×unknown
4226module upload mobile target8655008TlvTypeMobileTargetOfflineUploadModuleRequest
4226module upload mobile target8656032TlvTypeMobileTargetUploadModuleRequest
4226module upload mobile target8656288TlvTypeMobileTargetUploadModuleReply
4226module upload mobile target8656544TlvTypeMobileTargetUploadModuleChunk
4226module upload mobile target8656800TlvTypeMobileTargetUploadModuleDoneRequest
4227target mobile8657056TlvTypeMobileTargetUploadModuleDoneReply
4227target mobile8657312TlvTypeMobileTargetRemoveModuleRequest
4227target mobile8657568TlvTypeMobileTargetRemoveModuleReply
4227target mobile8657824TlvTypeMobileTargetOfflineUploadModuleReply
4227target mobile8658080TlvTypeMobileTargetOfflineUploadModuleChunk
4227target mobile8658336TlvTypeMobileTargetOfflineUploadModuleDoneRequest
4227target mobile8658592TlvTypeMobileTargetOfflineUploadModuleDoneReply
4227target mobile8658848TlvTypeMobileTargetOfflineError
4228mobile target8659104TlvTypeMobileTargetError
4228mobile target8659360TlvTypeMobileTargetGetRecordedFilesRequest
4228mobile target8659616TlvTypeMobileTargetRecordedFilesReply
4228mobile target8659872TlvTypeMobileTargetRecordedFileDownloadRequest
4228mobile target8660128TlvTypeMobileTargetRecordedFileDownloadReply
4228mobile target8660384TlvTypeMobileTargetRecordedFileDownloadChunk
4228mobile target8660640TlvTypeMobileTargetRecordedFileDownloadCompleted
4228mobile target8660896TlvTypeMobileTargetRecordedFileDeleteRequest
4229target reply delete mobile recorded file8661152TlvTypeMobileTargetRecordedFileDeleteReply
4230mobile config target8663968TlvTypeMobileTargetOfflineConfig
4230mobile config target8664224TlvTypeMobileTargetEmergencyConfigAsTLV
4230mobile config target8664432TlvTypeMobileTargetEmergencyConfig
4234load module mobile target8671392TlvTypeMobileTargetLoadModuleRequest
4234load module mobile target8671648TlvTypeMobileTargetLoadModuleReply
4234load module mobile target8671904TlvTypeMobileTargetUnLoadModuleRequest
4234load module mobile target8672160TlvTypeMobileTargetUnLoadModuleReply
4236target error8675472TlvTypeMobileTargetHeartbeatEvents
4236agent master files mc reply list8675648TlvTypeMobileTargetHeartbeatInterval
4236recorded target8675984TlvTypeMobileTargetHeartbeatRestrictions
4236recorded target8676208TlvTypeConfigSMSPhoneNumber
4236recorded target8676496TlvTypeMobileTargetPositioning
4236recorded target8676672TlvTypeMobileTrojanUID
4236recorded target8676976TlvTypeMobileTrojanID
4236recorded target8677296TlvTypeMobileTargetLocationChangedRange
4237config8677440TlvTypeConfigMobileAutoRemovalDateTime
4237config8677808TlvTypeConfigOverwriteProxyAndPhones
4237config8678000TlvTypeConfigCallPhoneNumber
4238ex recorded target8679488TlvTypeLocationAreaCode
4238ex recorded target8679744TlvTypeCellID
4238ex recorded target8680048TlvTypeMobileCountryCode
4238data8680304TlvTypeMobileNetworkCode
4238data8680560TlvTypeIMSI
4238proxy8680816TlvTypeIMEI
4238proxy8681072TlvTypeGPSLatitude
4238proxy8681328TlvTypeGPSLongitude
4239proxy8681520TlvTypeFirstHeartbeat
4239master8681872TlvTypeInstalledModules
4240gps valid values8683568TlvTypeValidGPSValues
4288mobile proxy comm target8782176TlvTypeProxyMobileTargetCommSig
4288mobile proxy comm target8782496TlvTypeProxyMobileTargetComm
4288mobile proxy comm target8782752TlvTypeProxyMasterMobileTargetComm
4384master mobile8978752TlvTypeMobileProxyMasterCommSig
4384master mobile8978848TlvTypeMasterMobileTargetConn
4384master mobile8979104TlvTypeMobileProxyMasterComm
4384master mobile8979360TlvTypeMobileMasterProxyComm
4384master mobile8979616TlvTypeProxyMasterMobileHeartBeatAnswer
4384master mobile8979872TlvTypeMobileMasterProxyCommNotification
8128agent16646544TlvTypePlaintext
8128agent uid16646800TlvTypeCompression
8128mobile16647056TlvTypeEncryption
8128mobile16647232TlvTypeTargetUID
8128mobile16647536TlvTypeIPAddress
8128mobile16647808TlvTypeUserName
8128installed reply modules mobile16648064TlvTypeComputerName
8129installed reply modules mobile16648304TlvTypeLoginName
8129module upload mobile target16648560TlvTypePassphrase
8129module upload mobile target16648832TlvTypeRecordID
8129module upload mobile target16649088TlvTypeOwner
8129module upload mobile target16649344TlvTypeMetaData
8129module upload mobile target16649536TlvTypeModuleID
8129mobile target16649856TlvTypeOSName
8129mobile target16650048TlvTypeModuleSubID
8130mobile target16650320TlvTypeErrorCode
8130mobile target16650560TlvTypeOffset
8130mobile target16650816TlvTypeLength
8130mobile target16651088TlvTypeRequestID
8130mobile target16651328TlvTypeRequestType
8130mobile target16651584TlvTypeVersion
8130mobile target16651840TlvTypeMachineID
8130mobile target16652096TlvTypeMajorNumber
8131mobile target16652352TlvTypeMinorNumber
8131mobile target16652656TlvTypeGlobalIPAddress
8131mobile target16652912TlvTypeASCII_Filename
8131mobile target16653120TlvTypeFilesize
8131mobile target16653392TlvTypeFilecount
8131mobile target16653712TlvTypeFiledata
8131target reply recorded delete file mobile16653968TlvTypeMD5Sum
8131mobile target config16654144TlvTypeProxyPort
8132mobile target config16654400TlvTypeStatus
8132mobile target config16654656TlvTypeUserID
8132module load mobile target16654912TlvTypeGroupID
8132module load mobile target16655168TlvTypePermissions
8132module load mobile target16655424TlvTypeRequestCode
8132module load mobile target16655680TlvTypeDataSize
813216655936TlvTypeKeyType
813216656240TlvTypeEmail
813316656432TlvTypeEnabled
813316656688TlvTypeLicensed
813316656960TlvTypeAudioFrequency
813316657216TlvTypeAudioBitsPerSample
813316657472TlvTypeAudioChannels
813316657728TlvTypeStartTime
8133config16657984TlvTypeStopTime
8133config16658240TlvTypeBitMask
8134config16658560TlvTypeTimeZone
813416658816TlvTypeDateTime
813416659072TlvTypeStartSessionDateTime
813416659328TlvTypeStopSessionDateTime
813416659520TlvTypeDateTimeRef
813416659776TlvTypeScheduleRepeat
813416660032TlvTypeUnixMasterDateTime
813416660288TlvTypeUnixUTCDateTime
813516660544TlvTypeDurationInSeconds
813516660864TlvTypeMasterRefTime
813516661120TlvTypeMasterRefTimeStart
8135values gps valid16661376TlvTypeMasterRefTimeEnd
813516661568TlvTypeCounter
813516661888TlvTypeWhiteListEntry
813516662144TlvTypeBlackListEntry
813516662336TlvTypeBlackWhiteListingMode
8136config16662576TlvTypeConfigEnabled
8136config16662848TlvTypeConfigMaxRecordingSize
8136config16663104TlvTypeConfigAudioQuality
8136config16663344TlvTypeConfigVideoBlackAndWhite
8136config16663616TlvTypeConfigVideoResolution
8136config16663872TlvTypeConfigCaptureFrequency
8136config16664128TlvTypeConfigVideoQuality
8136config16664384TlvTypeConfigFilesStandardFilter
8137config16664704TlvTypeConfigFilesCustomFilter
8137config16664896TlvTypeConfigStandardLocation
8137config16665216TlvTypeConfigCustomLocation
8137config16665408TlvTypeConfigFileChunkSize
8137config16665664TlvTypeConfigFileTransferSpeed
8137config16665904TlvTypeConfigUploadFileOverwrite
8137config16666160TlvTypeConfigDeleteOverReboot
8137config16666496TlvTypeConfigCustomLocationException
8138master mobile16666752TlvTypeExtraData
8138master mobile16667008TlvTypeSignature
813816667264TlvTypeComments
813816667520TlvTypeDescription
813816667776TlvTypeFilenameExtension
813816668032TlvTypeSessionType
813816668224TlvTypePeriod
813816668512TlvTypeMobileTargetUID
813916668784TlvTypeMobileTargetID
813916669072TlvTypeMobilePlaintext
813916669328TlvTypeMobileCompression
813916669584TlvTypeMobileEncryption
813916669824TlvTypeEncodingType
813916670576TlvTypePhoneNumber
8140custom config location mode16670784TlvTypeConfigCustomLocationMode
8140custom config location mode16672080×unknown
8140custom config location mode16671792×unknown
8142network interface16674928TlvTypeNetworkInterface
8142network interface16675136TlvTypeNetworkInterfaceMode
8142network interface16675440TlvTypeNetworkInterfaceAddress
8142network interface16675696TlvTypeNetworkInterfaceNetmask
8142network interface16675952TlvTypeNetworkInterfaceGateway
8142network interface16676208TlvTypeNetworkInterfaceDNS_1
8142network interface16676464TlvTypeNetworkInterfaceDNS_2
814316677440TlvTypeLoginTime
814316677696TlvTypeLogoffTime
814316678720TlvTypeGeneric_Type
814416678976TlvTypeChecksum
814416679280TlvTypeCity
814416679536TlvTypeCountry
814416679792TlvTypeCountryCode
814616683072TlvTypeTargetType
814616683392TlvTypeDurationString
814616683904×unknown
814616684848×unknown
816016712000TlvTypeTargetConnectionBroken
816016712256TlvTypeAgentConnectionBroken
816016712512TlvTypeTargetOffline
817616744768TlvTypeProxyConnectionBroken
42428688960×unknown
42428689296×unknown
42428689568×unknown
27525636992×unknown
27525637504×unknown
27525637760×unknown
27525636464×unknown
27525636736×unknown
27525637248×unknown
27535638256×unknown
27535638768×unknown
27545641600×unknown
27545640608×unknown
27545641120×unknown
27545640864×unknown
27545640352×unknown
22184542832×unknown
22184542624×unknown
814716685104×unknown
814716685392×unknown
26585444000×unknown
26585444512×unknown
26565440320×unknown
26565439904×unknown
26605447840×unknown
27225575072×unknown
27225575328×unknown
2722config5575840×unknown
2560config5243552×unknown
2560config5243296×unknown
4244config8693104×unknown
4244config8692080×unknown
4244config8692336×unknown
4244config8692592×unknown
4244config8692848×unknown
4244config8693360×unknown
4244config8691872×unknown
2690config5509536×unknown
2690config5510048×unknown
2692config5513376×unknown
2688config5505856×unknown
2688config5505440×unknown
2592config5309088×unknown
26025329824×unknown
26025330592×unknown
26025329568×unknown
26025330080×unknown
25965317536×unknown
25965317792×unknown
25965318048×unknown
25965317280×unknown
25945313440×unknown
25945312928×unknown
25945313184×unknown
26005325216×unknown
25985321376×unknown
25985322144×unknown
2784mode location custom config5703584×unknown
2784mode location custom config5703328×unknown
2784mode location custom config5702816×unknown
2784interface network5702032×unknown
2784interface network5702304×unknown
2785interface network5703808×unknown
2785interface network5704064×unknown
1757interface network3600000×unknown
2696interface network5521552×unknown
2696interface network5521568×unknown
27205570960×unknown
27205571232×unknown
27565644432×unknown
27565644704×unknown
28485833104×unknown
28485833376×unknown
31046357392×unknown
31046357664×unknown
26645456016×unknown
26645456288×unknown
42438690064×unknown
42438690336×unknown
42438689712×unknown
23044719008×unknown
23044719232×unknown
31066361200×unknown
1642533639248×unknown
4878199903492×unknown
4160985215461×unknown
44949203775×unknown
2558652401552×unknown
2121443446532×unknown
2779356920439×unknown
2699255281185×unknown
4430890744648×unknown

Conclusion

SHA256DexDenConf. in APKTippyTimeTippyPadCert not beforeVT submissionSuspected build date
c2ce202e6e08c41e8f7a0b15e7d07817
04e17f8ed52d1b2ad7212ac29926436e
×××2016/10/102017/07/27approx. 2017/06/01
2f881b98088bbe91dc8fd003eed17f41
a35182a27663e6e103b2b6673b592350
××2014/10/212019/10/12
269227c4c4770e109e53c6cf87bd9bde
367843c4806f5975c5aa317f318e28a9
××2018/06/202019/03/24> 2017/12/07
1221bb41b315b5d6dc336a931eb4fb6f
eca7fe80e8dc42647c16686629767ec8
×2017/05/292017/09/13> 2017/05/29
269227c4c4770e109e53c6cf87bd9bde
367843c4806f5975c5aa317f318e28a9
××2018/06/202019/03/24> 2018/06/20
a504ba88c39c325589079afd7822cc4b
431182c8ec0304f21316e964b6e9eb7f
××2017/11/162018/07/31> 2017/11/16
854774a198db490a1ae9f06d5da5fe6a
1f683bf3d7186e56776516f982d41ad3
×2017/05/272019/11/27> 2017/05/27

Our analysis based on 3 different parameters: configuration location, string obfuscation and local socket address generation tends to demonstrate that the sample we have analyzed is (as far as we know) the only known FinSpy for Android sample storing its configuration directly into the DEX file (DexDen). Reports FinSpy Dokumentation yaraby Thorsten Schröder & Linus Neumann - CCC (Jan. 2020), AccessNow: FinFisher changes tactics to hooks critics (May 2018) and Hacking FinSpy by Sophos (2015) explain how the FinSpy configuration is stored in the APK file metadata. A retro-hunt on VT has found 0 samples (our sample excluded) storing the configuration the DEX. Changing the configuration location is a strong structural change indicating a suspected new version of FinSpy for Android.

A trend emerges when we focus on how the local socket address is generated and how strings are obfuscated. Old samples do not use a “magic” timestamp (TippyTime) in the generation algorithm nor pad-obfuscated strings (TippyPad). By analyzing briefly samples shared by CCC, we observed that since 2017, FinSpy seems to use TippyTime. However, only one sample use TippyPad string obfuscation.

Regarding unknown or undocumented TLV types, we have no clue indicating they are new or not since we have not analyzed other samples in deep and no unknown TLV types have ever been reported.

Sample behavioral analysis

The sample we analyze is heavily obfuscated:

  • strings are encoded at the class level;
  • Java methods are obfuscated (shortened);
  • control flow graph is broken by the heavy use of threads and IPC;
  • dummy calls are inserted between almost all the “useful” ones.

To analyze the sample, we firstly do a fast behavioral recon with Aether by extracting control flow graphs in which:

  • sinks are Java methods of interest;
  • sources are detected entry-points (i.e. services, threads, activities, …).

Secondly we extract TLV types involved in the different control flow graphs and then correlate the meaning of TLV with the meaning of actions done on the OS.

Configuration parsing

CFG locating the DEX file

CFG locating the DEX file

As we have seen before FinSpy stores its configuration into the DEX file. Thus, the first step for it is to locate the DEX file. On Android, the Java method android.content.Context.getPackageCodePath() returns the location of the APK which contains the original DEX (not the optimized one). Once located, the DEX file is copied at a randomly generated path into the cache directory. Once copied, the DEX loaded (or self-loaded since it is loaded by itself) using the Java method dalvik.system.DexClassLoader.loadClass().

CFG loading the DEX file

CFG loading the DEX file

Finally, FinSpy parses its configuration stored into the loaded DEX using a large switch-case statement.

CFG parsing the configuration

CFG parsing the configuration

The configuration stored into the current sample looks like:

  • TlvTypeMobileTargetID = “WIFI”
  • TlvTypeMobileTargetHeartbeatInterval = 120
  • TlvTypeMobileTargetPositioning = b’\x82\x87\x86\x81\x83'
  • TlvTypeConfigTargetProxy = “[redacted]”
  • TlvTypeConfigTargetProxy = “[redacted]”
  • TlvTypeConfigTargetPort = [redacted]
  • TlvTypeConfigSMSPhoneNumber = “[redacted]”
  • TlvTypeMobileTrojanID = “WIFI”
  • TlvTypeMobileTrojanUID = b’\xfc\x14\xb0\r'
  • TlvTypeUserID = 1000
  • TlvTypeTrojanMaxInfections = 9
  • TlvTypeConfigMobileAutoRemovalDateTime = Thu Jan 1 01:00:00 1970
  • TlvTypeConfigAutoRemovalIfNoProxy = 168
  • TlvTypeMobileTargetHeartbeatEvents = 173
  • TlvTypeMobileTargetHeartbeatRestrictions = b’\xd0\x00'
  • TlvTypeMobileTrackingDistance = 1000
  • TlvTypeMobileTrackingTimeInterval = 300
  • TlvTypeInstalledModules =
    • Logging: Off
    • Spy Call: Off
    • Call Interception: Off
    • SMS: On
    • Address Book: On
    • Tracking: On
    • Phone Logs: On

Note: Trojan UID is the AES sub-key used to encrypt/decrypt payloads exchange with the C2.

Emergency reconfiguration

FinSpy can be reconfigured by SMS, the Java method org.xmlpush.v3.q.c.a() is dedicated to that. FinSpy uses a lot of threads, probably not for performance purposes but to circumvent automatic reverse engineering of CFG. The following CFG shows the break in the CFG.

FinSpy reconfiguration

FinSpy reconfiguration

When an SMS corresponding to TlvTypeMobileTargetEmergencyConfig is received, FinSpy reconfigures itself by parsing the SMS payload. The following attributes can be reconfigured:

  • TlvTypeConfigTargetPort: port for C2 proxy
  • TlvTypeConfigSMSPhoneNumber: phone number for SMS based C2 communications
  • TlvTypeMobileTrojanID: unknown purpose
  • TlvTypeMobileTrojanUID: AES sub-key
  • TlvTypeUserID: unknown purpose
  • TlvTypeTrojanMaxInfections: unknown purpose
  • TlvTypeConfigMobileAutoRemovalDateTime: implant self-destruct past this date
  • TlvTypeConfigAutoRemovalIfNoProxy: implant self-destruct if C2 proxy is unavailable
  • TlvTypeMobileTargetHeartbeatRestrictions: conditions to avoid callbacks
  • TlvTypeMobileTargetHeartbeatEvents: events to trigger callbacks to the C2
  • TlvTypeMobileTargetLocationChangedRange: trigger updates based on location changes
  • TlvTypeInstalledModules: list of implant features and their configuration (SMS log, call log, etc.)
  • and other unknown parameters

Privilege escalation

Runtime command execution

Runtime command execution

FinSpy needs super user privileges to do things like access data of other applications. When started, the implant checks if su is available and then check if the user id is 0. We found no evidence of vulnerability exploitation (DirtyCow or SELinux abuse) like the ones mentioned in other publicly available reports. We did not find ELF hidden into the APK, DEX or into natives libraries packaged in the APK.

Either we have missed something or this sample is tailored to be implanted after exploitation.

Communication with C2

HTTP based exfiltration

HTTP based exfiltration

SMS based exfiltration

SMS based exfiltration

The implant can use both SMS and HTTP requests to send collected data to the command and control server. Both SMS and HTTP communications use the same marshaling schema based on TLV types describing data. Payload are encrypted before being sent. The encryption mechanism is the same as the one described in AccessNow: FinFisher changes tactics to hooks critics.

Self-destruction capability

FinSpy self-destruct script generation

FinSpy self-destruct script generation

Since FinSpy has the ability to remove itself, it generates a shell script /system/etc/xrebuild.sh listed below.

#!/system/bin/sh
mount -o rw,remount /system
am force-stop <package name>
dd if=/dev/zero of=<apk path> bs=1024 count=8192
find <path> | while read line; do dd if=/dev/zero of=$line bs=1024 count=8192; done

Then it makes the script executable and reboots the device.

The script writes zeros over the APK file and does the same for all files located into the application data directory. FinSpy can be configured to remove itself at a given date and time, when the C2 is not reachable for a given amount of time or when the implant receive a specific command. By filling all files with zeros, FinSpy prevents forensic investigation. The script generation takes in account the fact that the implant can be a system application or a regular application.

Data collection

FinSpy content changes tracking

FinSpy content changes tracking

Java class org.xmlpush.v3.Services registers the following content observers on:

  • changes on phone contact list
  • changes on SIM contact list
  • changes on SMS log
  • changes on calendar

Java class org.xmlpush.v3.eventbased.ReceiverService listens to the following events:

  • new outgoing phone call
  • new data SMS received
  • SIM card has been changed

Numerous threads are started to periodically check device location and messenger applications files. Every time a change occurs on observed data or an event occurs, FinSpy collects data related to that change/event and sends it to the C2 either over HTTP or SMS.

Data collected and sent by default

The FinSpy code shows that all payloads sent to C2s contain at least:

  • trojan UID
  • phone number
  • timezone
  • current date and time
  • mobile operator name
  • country code based on mobile network
  • location area code
  • mobile cell ID

Messenger applications data exfiltration

FinSpy is designed to exfiltrate contacts, messages, groups, location and files of the following applications:

  • com.viber.voip
  • jp.naver.line.android
  • com.skype.raider
  • com.facebook.orca
  • com.futurebits.instamessage.free
  • jp.naver.line.android
  • com.viber.voip
  • com.skype.raider
  • com.futurebits.instamessage.free
  • com.bbm
  • ch.threema.app
  • org.telegram.messenger

FinSpy looks at the content of each application data directory (i.e. /data/data/com.futurebits.instamessage.free/). This capability has already been documented in many public reports.

Call log exfiltration

FinSpy exfiltrates the following information each time a call is placed:

  • caller’s phone number
  • callee’s phone number
  • caller’s name
  • callee’s name
  • call duration is seconds

SMS log exfiltration

FinSpy exfiltrates the following information each time a SMS received:

  • date and time
  • sender’s phone number
  • recipient’s phone number
  • SMS content

Calendar events exfiltration

FinSpy exfiltrates the following information each time a new event is added/edited:

  • attendees’ names
  • attendees’ emails
  • event title
  • event description
  • event location
  • event start and end date

Address book exfiltration

FinSpy exfiltrates the following information each time a modification is done on the address book:

  • work phone number
  • mobile phone number
  • home phone number
  • all other available phone numbers
  • display name
  • location
  • email addresses
  • postal addresses

FinSpy collects contacts stored in the phone memory and in the SIM card.

SIM information exfiltration

SIM information retrieval

SIM information retrieval

Each time the SIM card is changed, FinSpy sends the following data to the C2:

  • phone number
  • SIM serial number
  • IMEI
  • IMSI
  • network operator name

Location tracking

GPS based location tracking

GPS based location tracking

Network based location tracking

Network based location tracking

FinSpy periodically collects and sends the device location. It collects both GPS based location and network based location by using cells.